GDPR: Five myths you will encounter on your compliance journey

The General Data Protection Regulation comes into force in May 2018. We explore common myths surrounding GDPR

The General Data Protection Regulation (GDPR) comes into force in May 2018. For the information commissioner, GDPR creates an onus on companies to understand the risks they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box-ticking exercise, and instead working on a framework that can be used to build a culture of privacy that pervades an entire organisation, the information commissioner recently said.


Let’s explore a few areas of misunderstanding I have encountered when speaking to IT suppliers and customers.

Myth 1: It is just about hacking – Although many of the news stories focus on hacking and GDPR breaches, GDPR is not just about hacking. For example, it currently costs £10 for individuals to get their data from organisations under data protection law. Under the GDPR, it will be free subject to various exemptions such as repetitive requests, manifestly unfounded or excessive requests or further copies.

As a result, organisations can probably expect more individuals wanting a copy of their data, including customers and employees both past and present. The time limit for responding to these requests is 30 days. If an organisation receives many requests from employees or customers, is it prepared to provide this personal data to them within the 30-day time limit?

Myth 2: It is all about avoiding fines – Many people focus on the high fines in the GDPR, which are up to €20m, or 4% of worldwide annual turnover. However, also of concern is that if there is a data breach that poses a high risk to individuals (for example, if all credit card details are lost or stolen so that fraudsters can use those details), the organisation has to notify those individuals.

Because organisations might now have to notify their whole customer base of this kind of data breach, it could lead to a rush of enquiries from customers, and many may want to switch to competitors. Losing a large number of customers in a short period of time can obviously severely impact an organisation’s reputation and revenues. Any fines may then come later.

Myth 3: It is just an IT problem – Because GDPR is heavily linked with personal data, the word “data” often signals that this is some kind of IT issue. However, GDPR is a cultural change in terms of how organisations process personal data throughout the organisation – where personal data is obtained from, how it is used, where it is stored, who it is passed to and how those parties use that data.

As a result, complying with GDPR will often be a team effort across different departments in the organisation. IT teams that feel it is their responsibility to soldier on and deal with GDPR alone should instead be letting the whole organisation know about GDPR and explaining that it is not just an IT issue.

Myth 4: GDPR compliance is a job for the IT director – It is mandatory for public sector bodies and certain other organisations to have a data protection officer. Many organisations may feel that if they need a data protection officer under the GDPR, then they might just appoint their IT director as a data protection officer.

However, legal developments suggest that when appointing a data protection officer there should not be a conflict of interest – for example, if the IT director is responsible for the organisation’s processing of personal data, the IT director cannot also be responsible for signing off on GDPR compliance regarding the processing of it.

Myth 5: Compliance can be achieved very quickly – The way the GDPR obliges organisations to take another look at how they process personal data, such as their customer database, will need significant organisational work, involving departments including sales and marketing, finance, HR, IT and legal. Given the GDPR comes into force in May 2018, this does not leave a lot of time for an organisation to become GDPR compliant.

2 comments

Love the post Jimmy. I've been doing lots of research on GDPR and this is helpful to get past some of the myths I've read. How difficult do you think it will be for companies to make their file sharing processes comply with GDPR? I wanted to hear a professional's take on that.

GDPR is too vague. For example, if someone invokes a right to erasure, does that mean I have to delete all my backups / images, as it will be impossible to extract the data without destroying the backup? And what about email from the same person? Do we need to delete all correspondence, both sent and received (because the sent usually contains the originator's email)? I have yet to find a definitive answer, as all I read is what the rules are, but not how they are implemented.